The JavaScript Jungle

There was a slide in the early talks that Cory Ondrejka used to give about Second Life about alien abductions in Second Life. One of the most exciting moments in Second Life for the early Lindens was when a resident constructed a UFO and flew around the world abducting other residents and then returning them to the world with a commemorative t-shirt. It was exciting because it was unanticipated. The Lindens had created a virtual world that enabled interaction and someone had taken it and run with it to create a fun and engaging experience.

The JavaScript first adds a UFO from You’re The Boss 2 to the supplied div along with an SVG canvas containing a hidden translucent tractor beam path before binding to the see and tick events. The tick handler implements a state machine which either moves the UFO towards a random spot, a target creature that the UFO has seen or drags the target off screen for diabolical experimentation.

The most interesting part of the code on line 155 which replaces the target’s position method with one which returns the target’s position, but doesn’t update. This allows the UFO to move the target while the position updates made by the target’s own code call the new read only position method. Tom Parslow‘s boids look especially mournful flapping around and turning towards the flock while being captured.

While the alien abductions in Second Life and the JavaScript jungle are meant to be fun and mostly harmless, the same mechanisms that enable them can be used for griefing in virtual environments and malware in software at large. The ability for scripted objects in Second Life to self replicate caused dozens of problems with grey goo attacks for every amazing virtual ecosystem and many malicious cage attacks for every playful alien abductor.

The message passing concurrency model adopted by LSL actually made direct attacks on other scripts of the kind used by the JavaScript Jungle UFO very hard, but things are much harder in JavaScript’s browser environment even when separating scripts in iFrames.

Luckily projects like Caja and Belay (which is being worked on by another ex-Linden, Mark Lentczner ) are working on the problem of making multiple scripts work safely in the same browser.

The challenge for sandboxes like Second Life and the JavaScript jungle is to allow interesting and meaningful interactions with emergent properties and unanticipated consequences without allowing malicious scripts to destroy that environment. Building the JavaScript Jungle was a lot of fun and made for another great Brighton Digital Festival project. Many congratulations to @premasagar, @ac94, @purge and everyone else for making it a success. Maybe next time we can try to build a secure JavaScript Jungle that is both secure and expressive.